From e5c08ddb0684ee7ebfcb85c64f20bc04db5a3029 Mon Sep 17 00:00:00 2001 From: Jason Hall Date: Tue, 7 Jun 2022 10:27:00 -0400 Subject: [PATCH 1/7] Drop tuf client dependency on GCS client library Signed-off-by: Jason Hall --- go.mod | 2 -- go.sum | 8 -------- pkg/cosign/tuf/client.go | 2 +- pkg/cosign/tuf/store.go | 40 ++++++++++++++++++---------------------- 4 files changed, 19 insertions(+), 33 deletions(-) diff --git a/go.mod b/go.mod index 4b8c1778a80..8a3efb2900d 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,6 @@ module github.com/sigstore/cosign go 1.17 require ( - cloud.google.com/go/storage v1.22.1 cuelang.org/go v0.4.3 github.com/ThalesIgnite/crypto11 v1.2.5 github.com/armon/go-metrics v0.4.0 @@ -202,7 +201,6 @@ require ( github.com/google/uuid v1.3.0 // indirect github.com/googleapis/gax-go/v2 v2.4.0 // indirect github.com/googleapis/gnostic v0.5.5 // indirect - github.com/googleapis/go-type-adapters v1.0.0 // indirect github.com/gorilla/websocket v1.4.2 // indirect github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect diff --git a/go.sum b/go.sum index 2132ef50195..48fb09b926d 100644 --- a/go.sum +++ b/go.sum 
@@ -89,8 +89,6 @@ cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RX cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo= cloud.google.com/go/storage v1.18.2/go.mod h1:AiIj7BWXyhO5gGVmYJ+S8tbkCx3yb0IMjua8Aw4naVM= -cloud.google.com/go/storage v1.22.1 h1:F6IlQJZrZM++apn9V5/VfS3gbTUYg98PS3EMQAzqtfg= -cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y= cloud.google.com/go/trace v0.1.0/go.mod h1:wxEwsoeRVPbeSkt7ZC9nWCgmoKQRAoySN7XHW2AmI7g= cloud.google.com/go/trace v1.0.0/go.mod h1:4iErSByzxkyHWzzlAj63/Gmjz0NH1ASqhJguHpGcr6A= code.gitea.io/sdk/gitea v0.11.3/go.mod h1:z3uwDV/b9Ls47NGukYM9XhnHtqPh/J+t40lsUrR6JDY= 
@@ -1184,11 +1182,9 @@ github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/ github.com/google/licenseclassifier v0.0.0-20210325184830-bb04aff29e72/go.mod h1:qsqn2hxC+vURpyBRygGUuinTO42MFRLcsmQ/P8v94+M= github.com/google/mako v0.0.0-20190821191249-122f8dcef9e3/go.mod h1:YzLcVlL+NqWnmUEPuhS1LxDDwGO9WNbVlEXaF4IH35g= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= -github.com/google/martian v2.1.1-0.20190517191504-25dcb96d9e51+incompatible h1:xmapqc1AyLoB+ddYT6r04bD9lIjlOqGaREovi0SzFaE= github.com/google/martian v2.1.1-0.20190517191504-25dcb96d9e51+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= -github.com/google/martian/v3 v3.2.1 h1:d8MncMlErDFTwQGBK1xhv026j9kqhvw1Qv9IbWT1VLQ= github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= 
@@ -1241,8 +1237,6 @@ github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3i github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU= github.com/googleapis/gnostic v0.5.5 h1:9fHAtK0uDfpveeqqo1hkEZJcFvYXAiCN3UutL8F9xHw= github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA= -github.com/googleapis/go-type-adapters v1.0.0 h1:9XdMn+d/G57qq1s8dNc5IesGCXHf6V2HZ2JwRxfA2tA= -github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4= github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g= github.com/gookit/color v1.4.2/go.mod h1:fqRyamkC1W8uxl+lxCQxOT09l/vYfZ+QeiX3rKQHCoQ= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= @@ -3136,7 +3130,6 @@ google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210329143202-679c6ae281ee/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= google.golang.org/genproto v0.0.0-20210331142528-b7513248f0ba/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= google.golang.org/genproto v0.0.0-20210413151531-c14fb6ef47c3/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= 
@@ -3190,7 +3183,6 @@ google.golang.org/genproto v0.0.0-20220414192740-2d67ff6cf2b4/go.mod h1:8w6bsBMX google.golang.org/genproto v0.0.0-20220421151946-72621c1f0bd3/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= google.golang.org/genproto v0.0.0-20220429170224-98d788798c3e/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= google.golang.org/genproto v0.0.0-20220505152158-f39f71e6c8f3/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= -google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= google.golang.org/genproto v0.0.0-20220519153652-3a47de7e79bd/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= google.golang.org/genproto v0.0.0-20220527130721-00d5c0f3be58 h1:a221mAAEAzq4Lz6ZWRkcS8ptb2mxoxYSt4N68aRyQHM= google.golang.org/genproto v0.0.0-20220527130721-00d5c0f3be58/go.mod h1:yKyY4AMRwFiC8yMMNaMi+RkCnjZJt9LoWuvhXjMs+To= diff --git a/pkg/cosign/tuf/client.go b/pkg/cosign/tuf/client.go index 14268ec21cf..1d28128877c 100644 --- a/pkg/cosign/tuf/client.go +++ b/pkg/cosign/tuf/client.go @@ -685,7 +685,7 @@ func noCache() bool { func remoteFromMirror(ctx context.Context, mirror string) (client.RemoteStore, error) { if _, parseErr := url.ParseRequestURI(mirror); parseErr != nil { - return GcsRemoteStore(ctx, mirror, nil, nil) + return GCSRemoteStore(ctx, mirror, nil) } return client.HTTPRemoteStore(mirror, nil, nil) } diff --git a/pkg/cosign/tuf/store.go b/pkg/cosign/tuf/store.go index ea35403710d..52c20cef8ab 100644 --- a/pkg/cosign/tuf/store.go +++ b/pkg/cosign/tuf/store.go @@ -17,12 +17,12 @@ package tuf import ( "context" + "fmt" "io" + "net/http" "path" - "cloud.google.com/go/storage" "github.com/theupdateframework/go-tuf/client" - "google.golang.org/api/option" ) type GcsRemoteOptions struct { 
@@ -33,27 +33,18 @@ type GcsRemoteOptions struct { type gcsRemoteStore struct { bucket string ctx context.Context - client *storage.Client opts *GcsRemoteOptions } -// A remote store for TUF metadata on GCS. -func GcsRemoteStore(ctx context.Context, bucket string, opts *GcsRemoteOptions, client *storage.Client) (client.RemoteStore, error) { +// GCSRemoteStore is a remote store for TUF metadata on GCS. +func GCSRemoteStore(ctx context.Context, bucket string, opts *GcsRemoteOptions) (client.RemoteStore, error) { if opts == nil { opts = &GcsRemoteOptions{} } if opts.TargetsPath == "" { opts.TargetsPath = "targets" } - store := gcsRemoteStore{ctx: ctx, bucket: bucket, opts: opts, client: client} - if client == nil { - var err error - store.client, err = storage.NewClient(ctx, option.WithoutAuthentication()) - if err != nil { - return nil, err - } - } - return &store, nil + return &gcsRemoteStore{ctx: ctx, bucket: bucket, opts: opts}, nil } func (h *gcsRemoteStore) GetMeta(name string) (io.ReadCloser, int64, error) { 
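Review bot: The rename from `GcsRemoteStore` to `GCSRemoteStore` stops halfway: the exported options type stays `GcsRemoteOptions`, and so does its use in the new signature, so one API now carries both spellings of the initialism. This commit already breaks callers by dropping the `*storage.Client` argument, so renaming the type to `GCSRemoteOptions` in the same change would cost nothing extra. The `ctx` kept by `return &gcsRemoteStore{ctx: ctx, bucket: bucket, opts: opts}, nil` is the only remaining reason for the field; if it stays, the request code should consume it rather than leave a stored-but-unused context.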
@@ -64,15 +55,20 @@ func (h *gcsRemoteStore) GetTarget(name string) (io.ReadCloser, int64, error) { return h.get(path.Join(h.opts.TargetsPath, name)) } -func (h *gcsRemoteStore) get(s string) (io.ReadCloser, int64, error) { - obj := h.client.Bucket(h.bucket).Object(s) - attrs, err := obj.Attrs(h.ctx) +func (h *gcsRemoteStore) get(path string) (io.ReadCloser, int64, error) { + url := fmt.Sprintf("https://storage.googleapis.com/%s/%s", h.bucket, path) + resp, err := http.Get(url) if err != nil { - return nil, 0, client.ErrNotFound{File: s} + return nil, 0, client.ErrNotFound{File: path} } - rc, err := obj.NewReader(h.ctx) - if err != nil { - return nil, 0, err + switch resp.StatusCode { + case http.StatusOK: + return resp.Body, resp.ContentLength, nil + case http.StatusNotFound: + return nil, 0, client.ErrNotFound{File: path} + default: + defer resp.Body.Close() + all, _ := io.ReadAll(resp.Body) + return nil, 0, fmt.Errorf("GET %q: %s", url, string(all)) } - return rc, attrs.Size, nil } From 74e292d1b1c4e774910157418962ca921c55d377 Mon Sep 17 00:00:00 2001 From: Jason Hall Date: Tue, 7 Jun 2022 10:50:10 -0400 Subject: [PATCH 2/7] Add more validation of bucket names, clean paths Signed-off-by: Jason Hall --- pkg/cosign/tuf/store.go | 28 ++++++++++++++++++--- pkg/cosign/tuf/store_test.go | 49 ++++++++++++++++++++++++++++++++++++ 2 files changed, 74 insertions(+), 3 deletions(-) create mode 100644 pkg/cosign/tuf/store_test.go diff --git a/pkg/cosign/tuf/store.go b/pkg/cosign/tuf/store.go index 52c20cef8ab..b8892a326d6 100644 --- a/pkg/cosign/tuf/store.go +++ b/pkg/cosign/tuf/store.go @@ -21,10 +21,16 @@ import ( "io" "net/http" "path" + "regexp" + "strings" "github.com/theupdateframework/go-tuf/client" ) +// This is a partial validation. +// Full bucket naming rules here: https://cloud.google.com/storage/docs/naming-buckets +var bucketRE = regexp.MustCompile("^[a-z0-9][a-z0-9-_.]{1,61}[a-z0-9]$") + type GcsRemoteOptions struct { MetadataPath string TargetsPath string 
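Review bot: The `case http.StatusNotFound` branch returns without closing `resp.Body`, and the request goes through `http.Get`, i.e. `http.DefaultClient` with no timeout, while the `h.ctx` the store still carries is never consulted — a stalled mirror blocks the TUF refresh indefinitely and the caller cannot cancel it. A transport failure, including a failed TLS handshake, is rewritten into `client.ErrNotFound{File: path}`, which hides the real cause; unless go-tuf's callers depend on not-found here, it should be returned wrapped. On the default branch `io.ReadAll(resp.Body)` copies an unbounded response into the error string; cap it with `io.LimitReader`. Patch 3/7 later adds `// nolint:gosec` to the same `http.Get` line, which suppresses gosec's variable-URL finding instead of removing the reason for it; the version below (a package-level `*http.Client` with a `Timeout`, `http.NewRequestWithContext(h.ctx, …)`) needs no suppression.
```go
// httpClient bounds every request to the mirror; http.DefaultClient has no timeout.
var httpClient = &http.Client{Timeout: 30 * time.Second}

func (h *gcsRemoteStore) get(p string) (io.ReadCloser, int64, error) {
	u := fmt.Sprintf("https://storage.googleapis.com/%s/%s", h.bucket, p)
	req, err := http.NewRequestWithContext(h.ctx, http.MethodGet, u, nil)
	if err != nil {
		return nil, 0, err
	}
	resp, err := httpClient.Do(req)
	if err != nil {
		// Keep the transport error visible instead of reporting a missing file.
		return nil, 0, fmt.Errorf("GET %q: %w", u, err)
	}
	switch resp.StatusCode {
	case http.StatusOK:
		return resp.Body, resp.ContentLength, nil
	case http.StatusNotFound:
		resp.Body.Close()
		return nil, 0, client.ErrNotFound{File: p}
	default:
		defer resp.Body.Close()
		// Bound how much of an error page ends up in the error string / logs.
		body, _ := io.ReadAll(io.LimitReader(resp.Body, 4096))
		return nil, 0, fmt.Errorf("GET %q: %s: %s", u, resp.Status, string(body))
	}
}
```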
@@ -36,6 +42,19 @@ type gcsRemoteStore struct { opts *GcsRemoteOptions } +func validBucketName(b string) bool { + if !bucketRE.MatchString(b) { + return false + } + if strings.HasPrefix(b, "goog") { + return false + } + if strings.Contains(b, "google") { + return false + } + return true +} + // GCSRemoteStore is a remote store for TUF metadata on GCS. func GCSRemoteStore(ctx context.Context, bucket string, opts *GcsRemoteOptions) (client.RemoteStore, error) { if opts == nil { @@ -44,19 +63,22 @@ func GCSRemoteStore(ctx context.Context, bucket string, opts *GcsRemoteOptions) if opts.TargetsPath == "" { opts.TargetsPath = "targets" } + if !validBucketName(bucket) { + return nil, fmt.Errorf("bucket name %q is invalid", bucket) + } return &gcsRemoteStore{ctx: ctx, bucket: bucket, opts: opts}, nil } func (h *gcsRemoteStore) GetMeta(name string) (io.ReadCloser, int64, error) { - return h.get(path.Join(h.opts.MetadataPath, name)) + return h.get(path.Clean(path.Join(h.opts.MetadataPath, name))) } func (h *gcsRemoteStore) GetTarget(name string) (io.ReadCloser, int64, error) { - return h.get(path.Join(h.opts.TargetsPath, name)) + return h.get(path.Clean(path.Join(h.opts.TargetsPath, name))) } func (h *gcsRemoteStore) get(path string) (io.ReadCloser, int64, error) { - url := fmt.Sprintf("https://storage.googleapis.com/%s/%s", h.bucket, path) + url := fmt.Sprintf("https://%s.storage.googleapis.com/%s", h.bucket, path) resp, err := http.Get(url) if err != nil { return nil, 0, client.ErrNotFound{File: path} diff --git a/pkg/cosign/tuf/store_test.go b/pkg/cosign/tuf/store_test.go new file mode 100644 index 00000000000..59b3582873c --- /dev/null +++ b/pkg/cosign/tuf/store_test.go 
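Review bot: The URL built in `get` switches to the virtual-hosted form `https://%s.storage.googleapis.com/%s`, but `validBucketName` in the hunk above and the new `store_test.go` both accept dotted names such as `hello.example.com`; for such a bucket the host becomes `hello.example.com.storage.googleapis.com`, which, as far as I know, the `*.storage.googleapis.com` wildcard certificate does not cover (a wildcard matches one label), so TLS verification fails and, through the error path in `get`, is reported as `ErrNotFound`. Either keep the path-style `https://storage.googleapis.com/%s/%s` form when `strings.Contains(bucket, ".")`, or reject dots in `validBucketName` and drop that case from the test. Separately, `path.Clean(path.Join(…))` is redundant — `path.Join` already cleans — and neither removes a leading `..` (`path.Join("targets", "../../x")` is `../x`) nor escapes `?`, `#` or `%` in `name`, which is interpolated straight into the URL; build it with `(&url.URL{Scheme: "https", Host: host, Path: "/" + p}).String()` and return `ErrNotFound` when the cleaned path starts with `..`.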
@@ -0,0 +1,49 @@ +// +// Copyright 2022 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package tuf + +import "testing" + +func TestValidBucketName(t *testing.T) { + for _, good := range []string{ + "sigstore-tuf-root", + "a1z", + "0z0", + "a-z", // internal dashes are allowed. + "a_z", // internal underscores are allowed. + "hello.example.com", + } { + t.Run(good, func(t *testing.T) { + if !validBucketName(good) { + t.Error("expected bucket name to be valid") + } + }) + } + + for _, bad := range []string{ + "goog-prefix", + "contains-google", + "-starts-with-dash", + "ends-with-dash-", + "too-much-YELLING", + } { + t.Run(bad, func(t *testing.T) { + if validBucketName(bad) { + t.Error("expected bucket name to be invalid") + } + }) + } +} From 7dfacd6694b91deef2349348d238e5458424f4f7 Mon Sep 17 00:00:00 2001 From: Jason Hall Date: Tue, 7 Jun 2022 11:25:40 -0400 Subject: [PATCH 3/7] update-deps.sh 
Signed-off-by: Jason Hall --- go.mod | 82 +++---- pkg/cosign/tuf/store.go | 2 +- .../cloud.google.com/go/internal/LICENSE | 202 ------------------ .../cloud.google.com/go/storage/LICENSE | 202 ------------------ .../go-type-adapters/adapters/LICENSE | 202 ------------------ .../golang.org/x/xerrors/LICENSE | 27 --- 6 files changed, 42 insertions(+), 675 deletions(-) delete mode 100644 third_party/VENDOR-LICENSE/cloud.google.com/go/internal/LICENSE delete mode 100644 third_party/VENDOR-LICENSE/cloud.google.com/go/storage/LICENSE delete mode 100644 third_party/VENDOR-LICENSE/github.com/googleapis/go-type-adapters/adapters/LICENSE delete mode 100644 third_party/VENDOR-LICENSE/golang.org/x/xerrors/LICENSE diff --git a/go.mod b/go.mod index 8a3efb2900d..bbd54dce338 100644 --- a/go.mod +++ b/go.mod 
@@ -5,55 +5,24 @@ go 1.17 require ( cuelang.org/go v0.4.3 github.com/ThalesIgnite/crypto11 v1.2.5 - github.com/armon/go-metrics v0.4.0 - github.com/armon/go-radix v1.0.0 github.com/aws/aws-sdk-go-v2 v1.16.4 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20220228164355-396b2034c795 - github.com/cenkalti/backoff/v3 v3.2.2 github.com/chrismellard/docker-credential-acr-env v0.0.0-20220119192733-fe33c00cee21 github.com/cyberphone/json-canonicalization v0.0.0-20210823021906-dc406ceaf94b github.com/go-openapi/runtime v0.24.1 github.com/go-openapi/strfmt v0.21.2 github.com/go-openapi/swag v0.21.1 github.com/go-piv/piv-go v1.9.0 - github.com/golang/protobuf v1.5.2 - github.com/golang/snappy v0.0.4 github.com/google/certificate-transparency-go v1.1.2 github.com/google/go-cmp v0.5.8 github.com/google/go-containerregistry v0.8.1-0.20220209165246-a44adc326839 github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20220413173345-f1b065c6cb3d github.com/google/go-github/v42 v42.0.0 - github.com/hashicorp/errwrap v1.1.0 - github.com/hashicorp/go-cleanhttp v0.5.2 - github.com/hashicorp/go-hclog v1.2.0 - github.com/hashicorp/go-immutable-radix v1.3.1 - github.com/hashicorp/go-multierror v1.1.1 - github.com/hashicorp/go-plugin v1.4.4 - github.com/hashicorp/go-retryablehttp v0.7.1 - github.com/hashicorp/go-rootcerts v1.0.2 - github.com/hashicorp/go-secure-stdlib/mlock v0.1.2 - github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 - github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 - github.com/hashicorp/go-sockaddr v1.0.2 - github.com/hashicorp/go-uuid v1.0.3 - github.com/hashicorp/go-version v1.5.0 - github.com/hashicorp/golang-lru v0.5.4 - github.com/hashicorp/hcl v1.0.0 - github.com/hashicorp/vault/sdk v0.5.0 - github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87 github.com/in-toto/in-toto-golang v0.3.4-0.20211211042327-af1f9fb822bf github.com/kelseyhightower/envconfig v1.4.0 - github.com/letsencrypt/boulder 
v0.0.0-20220331220046-b23ab962616e github.com/manifoldco/promptui v0.9.0 github.com/miekg/pkcs11 v1.1.1 - github.com/mitchellh/copystructure v1.2.0 - github.com/mitchellh/go-homedir v1.1.0 - github.com/mitchellh/go-testing-interface v1.14.1 - github.com/mitchellh/mapstructure v1.5.0 - github.com/oklog/run v1.1.0 github.com/open-policy-agent/opa v0.35.0 - github.com/pierrec/lz4 v2.6.1+incompatible - github.com/ryanuber/go-glob v1.0.0 github.com/secure-systems-lab/go-securesystemslib v0.4.0 github.com/sigstore/fulcio v0.1.2-0.20220114150912-86a2036f9bc7 github.com/sigstore/rekor v0.4.1-0.20220114213500-23f583409af3 @@ -64,23 +33,13 @@ require ( github.com/spiffe/go-spiffe/v2 v2.1.0 github.com/stretchr/testify v1.7.2 github.com/theupdateframework/go-tuf v0.3.0 - github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 github.com/transparency-dev/merkle v0.0.1 github.com/withfig/autocomplete-tools/packages/cobra v0.0.0-20220122124547-31d3821a6898 github.com/xanzy/go-gitlab v0.68.0 - go.uber.org/atomic v1.9.0 go.uber.org/zap v1.21.0 - golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 - golang.org/x/net v0.0.0-20220526153639-5463443f8c37 golang.org/x/oauth2 v0.0.0-20220524215830-622c5d57e401 - golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 - golang.org/x/time v0.0.0-20220411224347-583f2d630306 google.golang.org/api v0.82.0 - google.golang.org/grpc v1.47.0 - google.golang.org/protobuf v1.28.0 - gopkg.in/square/go-jose.v2 v2.6.0 - gopkg.in/yaml.v2 v2.4.0 k8s.io/api v0.23.5 k8s.io/apimachinery v0.23.5 k8s.io/client-go v0.23.5 
@@ -120,6 +79,8 @@ require ( github.com/PuerkitoBio/purell v1.1.1 // indirect github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect github.com/ReneKroon/ttlcache/v2 v2.11.0 // indirect + github.com/armon/go-metrics v0.4.0 // indirect + github.com/armon/go-radix v1.0.0 // indirect github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect github.com/aws/aws-sdk-go v1.43.45 // indirect github.com/aws/aws-sdk-go-v2/config v1.14.0 // indirect @@ -141,6 +102,7 @@ require ( github.com/blang/semver/v4 v4.0.0 // indirect github.com/blendle/zapdriver v1.3.1 // indirect github.com/bytecodealliance/wasmtime-go v0.33.1 // indirect + github.com/cenkalti/backoff/v3 v3.2.2 // indirect github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect github.com/cespare/xxhash/v2 v2.1.2 // indirect github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e // indirect @@ -193,6 +155,8 @@ require ( github.com/golang/glog v1.0.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/mock v1.6.0 // indirect + github.com/golang/protobuf v1.5.2 // indirect + github.com/golang/snappy v0.0.4 // indirect github.com/google/btree v1.0.1 // indirect github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20220301182634-bfe2ffc6b6bd // indirect github.com/google/go-querystring v1.1.0 // indirect 
@@ -205,7 +169,25 @@ require ( github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect + github.com/hashicorp/errwrap v1.1.0 // indirect + github.com/hashicorp/go-cleanhttp v0.5.2 // indirect + github.com/hashicorp/go-hclog v1.2.0 // indirect + github.com/hashicorp/go-immutable-radix v1.3.1 // indirect + github.com/hashicorp/go-multierror v1.1.1 // indirect + github.com/hashicorp/go-plugin v1.4.4 // indirect + github.com/hashicorp/go-retryablehttp v0.7.1 // indirect + github.com/hashicorp/go-rootcerts v1.0.2 // indirect + github.com/hashicorp/go-secure-stdlib/mlock v0.1.2 // indirect + github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 // indirect + github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect + github.com/hashicorp/go-sockaddr v1.0.2 // indirect + github.com/hashicorp/go-uuid v1.0.3 // indirect + github.com/hashicorp/go-version v1.5.0 // indirect + github.com/hashicorp/golang-lru v0.5.4 // indirect + github.com/hashicorp/hcl v1.0.0 // indirect github.com/hashicorp/vault/api v1.5.0 // indirect + github.com/hashicorp/vault/sdk v0.5.0 // indirect + github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87 // indirect github.com/imdario/mergo v0.3.12 // indirect github.com/inconshreveable/mousetrap v1.0.0 // indirect github.com/jedisct1/go-minisign v0.0.0-20210703085342-c1f07ee84431 // indirect 
@@ -216,16 +198,22 @@ require ( github.com/json-iterator/go v1.1.12 // indirect github.com/klauspost/compress v1.14.2 // indirect github.com/leodido/go-urn v1.2.1 // indirect + github.com/letsencrypt/boulder v0.0.0-20220331220046-b23ab962616e // indirect github.com/magiconair/properties v1.8.6 // indirect github.com/mailru/easyjson v0.7.7 // indirect github.com/mattn/go-colorable v0.1.12 // indirect github.com/mattn/go-isatty v0.0.14 // indirect github.com/mattn/go-runewidth v0.0.13 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect + github.com/mitchellh/copystructure v1.2.0 // indirect + github.com/mitchellh/go-homedir v1.1.0 // indirect + github.com/mitchellh/go-testing-interface v1.14.1 // indirect + github.com/mitchellh/mapstructure v1.5.0 // indirect github.com/mitchellh/reflectwalk v1.0.2 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de // indirect + github.com/oklog/run v1.1.0 // indirect github.com/oklog/ulid v1.3.1 // indirect github.com/olekukonko/tablewriter v0.0.5 // indirect github.com/onsi/ginkgo v1.16.5 // indirect @@ -234,6 +222,7 @@ require ( github.com/opentracing/opentracing-go v1.2.0 // indirect github.com/pelletier/go-toml v1.9.5 // indirect github.com/pelletier/go-toml/v2 v2.0.1 // indirect + github.com/pierrec/lz4 v2.6.1+incompatible // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/prometheus/client_golang v1.12.1 // indirect 
@@ -245,6 +234,7 @@ require ( github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect github.com/rivo/uniseg v0.2.0 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect + github.com/ryanuber/go-glob v1.0.0 // indirect github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74 // indirect github.com/segmentio/ksuid v1.0.4 // indirect github.com/shibumi/go-pathspec v1.3.0 // indirect @@ -258,6 +248,7 @@ require ( github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7 // indirect github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 // indirect github.com/thales-e-security/pool v0.0.2 // indirect + github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 // indirect github.com/urfave/cli v1.22.5 // indirect github.com/vbatts/tar-split v0.11.2 // indirect 
@@ -290,20 +281,29 @@ require ( go.opentelemetry.io/otel/sdk/metric v0.20.0 // indirect go.opentelemetry.io/otel/trace v0.20.0 // indirect go.opentelemetry.io/proto/otlp v0.12.0 // indirect + go.uber.org/atomic v1.9.0 // indirect go.uber.org/automaxprocs v1.4.0 // indirect go.uber.org/multierr v1.7.0 // indirect + golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 // indirect golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect + golang.org/x/net v0.0.0-20220526153639-5463443f8c37 // indirect golang.org/x/sync v0.0.0-20220513210516-0976fa681c29 // indirect + golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a // indirect golang.org/x/text v0.3.7 // indirect + golang.org/x/time v0.0.0-20220411224347-583f2d630306 // indirect golang.org/x/tools v0.1.10 // indirect golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df // indirect gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/genproto v0.0.0-20220527130721-00d5c0f3be58 // indirect + google.golang.org/grpc v1.47.0 // indirect + google.golang.org/protobuf v1.28.0 // indirect gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.66.4 // indirect gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect + gopkg.in/square/go-jose.v2 v2.6.0 // indirect + gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/apiextensions-apiserver v0.23.4 // indirect k8s.io/gengo v0.0.0-20220307231824-4627b89bbf1b // indirect diff --git a/pkg/cosign/tuf/store.go b/pkg/cosign/tuf/store.go index b8892a326d6..b4b44597719 100644 --- a/pkg/cosign/tuf/store.go +++ b/pkg/cosign/tuf/store.go 
@@ -79,7 +79,7 @@ func (h *gcsRemoteStore) GetTarget(name string) (io.ReadCloser, int64, error) { func (h *gcsRemoteStore) get(path string) (io.ReadCloser, int64, error) { url := fmt.Sprintf("https://%s.storage.googleapis.com/%s", h.bucket, path) - resp, err := http.Get(url) + resp, err := http.Get(url) // nolint:gosec if err != nil { return nil, 0, client.ErrNotFound{File: path} } diff --git a/third_party/VENDOR-LICENSE/cloud.google.com/go/internal/LICENSE b/third_party/VENDOR-LICENSE/cloud.google.com/go/internal/LICENSE deleted file mode 100644 index d6456956733..00000000000 --- a/third_party/VENDOR-LICENSE/cloud.google.com/go/internal/LICENSE +++ /dev/null 
@@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/third_party/VENDOR-LICENSE/cloud.google.com/go/storage/LICENSE b/third_party/VENDOR-LICENSE/cloud.google.com/go/storage/LICENSE deleted file mode 100644 index d6456956733..00000000000 --- a/third_party/VENDOR-LICENSE/cloud.google.com/go/storage/LICENSE +++ /dev/null 
@@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/third_party/VENDOR-LICENSE/github.com/googleapis/go-type-adapters/adapters/LICENSE b/third_party/VENDOR-LICENSE/github.com/googleapis/go-type-adapters/adapters/LICENSE deleted file mode 100644 index ff9ad4530f5..00000000000 --- a/third_party/VENDOR-LICENSE/github.com/googleapis/go-type-adapters/adapters/LICENSE +++ /dev/null 
@@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - https://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/third_party/VENDOR-LICENSE/golang.org/x/xerrors/LICENSE b/third_party/VENDOR-LICENSE/golang.org/x/xerrors/LICENSE deleted file mode 100644 index e4a47e17f14..00000000000 --- a/third_party/VENDOR-LICENSE/golang.org/x/xerrors/LICENSE +++ /dev/null 
@@ -1,27 +0,0 @@
-Copyright (c) 2019 The Go Authors. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
- * Redistributions of source code must retain the above copyright
-notice, this list of conditions and the following disclaimer.
- * Redistributions in binary form must reproduce the above
-copyright notice, this list of conditions and the following disclaimer
-in the documentation and/or other materials provided with the
-distribution.
- * Neither the name of Google Inc. nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
From 65641cce29a2d743815425b0fb7e1fa542db6f57 Mon Sep 17 00:00:00 2001
From: Jason Hall
Date: Tue, 7 Jun 2022 11:37:03 -0400
Subject: [PATCH 4/7] remove GCSRemoteStore
Signed-off-by: Jason Hall
---
go.mod | 82 +++++++++++++++---------
pkg/cosign/tuf/client.go | 15 +++---
pkg/cosign/tuf/store.go | 96 ------------------------------------
pkg/cosign/tuf/store_test.go | 49 ------------------
4 files changed, 49 insertions(+), 193 deletions(-)
delete mode 100644 pkg/cosign/tuf/store.go
delete mode 100644 pkg/cosign/tuf/store_test.go
diff --git a/go.mod b/go.mod
index bbd54dce338..8a3efb2900d 100644
--- a/go.mod
+++ b/go.mod
@@ -5,24 +5,55 @@ go 1.17
 require (
 cuelang.org/go v0.4.3
 github.com/ThalesIgnite/crypto11 v1.2.5
+ github.com/armon/go-metrics v0.4.0
+ github.com/armon/go-radix v1.0.0
 github.com/aws/aws-sdk-go-v2 v1.16.4
 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20220228164355-396b2034c795
+ github.com/cenkalti/backoff/v3 v3.2.2
 github.com/chrismellard/docker-credential-acr-env v0.0.0-20220119192733-fe33c00cee21
 github.com/cyberphone/json-canonicalization v0.0.0-20210823021906-dc406ceaf94b
 github.com/go-openapi/runtime v0.24.1
 github.com/go-openapi/strfmt v0.21.2
 github.com/go-openapi/swag v0.21.1
 github.com/go-piv/piv-go v1.9.0
+ github.com/golang/protobuf v1.5.2
+ github.com/golang/snappy v0.0.4
 github.com/google/certificate-transparency-go v1.1.2
 github.com/google/go-cmp v0.5.8
 github.com/google/go-containerregistry v0.8.1-0.20220209165246-a44adc326839
 github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20220413173345-f1b065c6cb3d
 github.com/google/go-github/v42 v42.0.0
+ github.com/hashicorp/errwrap v1.1.0
+ github.com/hashicorp/go-cleanhttp v0.5.2
+ github.com/hashicorp/go-hclog v1.2.0
+ github.com/hashicorp/go-immutable-radix v1.3.1
+ github.com/hashicorp/go-multierror v1.1.1
+ github.com/hashicorp/go-plugin v1.4.4
+ github.com/hashicorp/go-retryablehttp v0.7.1
+ github.com/hashicorp/go-rootcerts v1.0.2
+ github.com/hashicorp/go-secure-stdlib/mlock v0.1.2
+ github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6
+ github.com/hashicorp/go-secure-stdlib/strutil v0.1.2
+ github.com/hashicorp/go-sockaddr v1.0.2
+ github.com/hashicorp/go-uuid v1.0.3
+ github.com/hashicorp/go-version v1.5.0
+ github.com/hashicorp/golang-lru v0.5.4
+ github.com/hashicorp/hcl v1.0.0
+ github.com/hashicorp/vault/sdk v0.5.0
+ github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87
 github.com/in-toto/in-toto-golang v0.3.4-0.20211211042327-af1f9fb822bf
 github.com/kelseyhightower/envconfig v1.4.0
+ github.com/letsencrypt/boulder v0.0.0-20220331220046-b23ab962616e
 github.com/manifoldco/promptui v0.9.0
 github.com/miekg/pkcs11 v1.1.1
+ github.com/mitchellh/copystructure v1.2.0
+ github.com/mitchellh/go-homedir v1.1.0
+ github.com/mitchellh/go-testing-interface v1.14.1
+ github.com/mitchellh/mapstructure v1.5.0
+ github.com/oklog/run v1.1.0
 github.com/open-policy-agent/opa v0.35.0
+ github.com/pierrec/lz4 v2.6.1+incompatible
+ github.com/ryanuber/go-glob v1.0.0
 github.com/secure-systems-lab/go-securesystemslib v0.4.0
 github.com/sigstore/fulcio v0.1.2-0.20220114150912-86a2036f9bc7
 github.com/sigstore/rekor v0.4.1-0.20220114213500-23f583409af3
@@ -33,13 +64,23 @@ require (
 github.com/spiffe/go-spiffe/v2 v2.1.0
 github.com/stretchr/testify v1.7.2
 github.com/theupdateframework/go-tuf v0.3.0
+ github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399
 github.com/transparency-dev/merkle v0.0.1
 github.com/withfig/autocomplete-tools/packages/cobra v0.0.0-20220122124547-31d3821a6898
 github.com/xanzy/go-gitlab v0.68.0
+ go.uber.org/atomic v1.9.0
 go.uber.org/zap v1.21.0
+ golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4
+ golang.org/x/net v0.0.0-20220526153639-5463443f8c37
 golang.org/x/oauth2 v0.0.0-20220524215830-622c5d57e401
+ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
+ golang.org/x/time v0.0.0-20220411224347-583f2d630306
 google.golang.org/api v0.82.0
+ google.golang.org/grpc v1.47.0
+ google.golang.org/protobuf v1.28.0
+ gopkg.in/square/go-jose.v2 v2.6.0
+ gopkg.in/yaml.v2 v2.4.0
 k8s.io/api v0.23.5
 k8s.io/apimachinery v0.23.5
 k8s.io/client-go v0.23.5
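Review bot: The direct `require` block should not grow in a commit whose stated purpose is deleting `pkg/cosign/tuf/store.go`, yet this hunk promotes roughly thirty modules — the `github.com/hashicorp/*`, `github.com/mitchellh/*`, `github.com/golang/protobuf`, `github.com/pierrec/lz4` and `github.com/letsencrypt/boulder` additions, matched by the `// indirect` removals in the later hunks — from indirect to direct requirements. Nothing visible here adds imports of those packages, so this looks like a `go.mod` that was edited by hand or tidied with a different toolchain rather than a real change in what cosign imports; I would re-run `go mod tidy` on this commit and confirm the only delta against the previous patch is the dropped GCS client. The marking matters for supply-chain review: a module listed without `// indirect` reads as intentionally imported by cosign, and SBOM generators and dependency-policy tooling treat it that way. Separately, `google.golang.org/api v0.82.0` remains a direct requirement after the GCS client removal — presumably still used elsewhere, but worth confirming with `go mod why -m google.golang.org/api` before merging.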
@@ -79,8 +120,6 @@ require ( github.com/PuerkitoBio/purell v1.1.1 // indirect github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect github.com/ReneKroon/ttlcache/v2 v2.11.0 // indirect - github.com/armon/go-metrics v0.4.0 // indirect - github.com/armon/go-radix v1.0.0 // indirect github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect github.com/aws/aws-sdk-go v1.43.45 // indirect github.com/aws/aws-sdk-go-v2/config v1.14.0 // indirect @@ -102,7 +141,6 @@ require ( github.com/blang/semver/v4 v4.0.0 // indirect github.com/blendle/zapdriver v1.3.1 // indirect github.com/bytecodealliance/wasmtime-go v0.33.1 // indirect - github.com/cenkalti/backoff/v3 v3.2.2 // indirect github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect github.com/cespare/xxhash/v2 v2.1.2 // indirect github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e // indirect @@ -155,8 +193,6 @@ require ( github.com/golang/glog v1.0.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/mock v1.6.0 // indirect - github.com/golang/protobuf v1.5.2 // indirect - github.com/golang/snappy v0.0.4 // indirect github.com/google/btree v1.0.1 // indirect github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20220301182634-bfe2ffc6b6bd // indirect github.com/google/go-querystring v1.1.0 // indirect 
@@ -169,25 +205,7 @@ require (
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
-	github.com/hashicorp/errwrap v1.1.0 // indirect
-	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-hclog v1.2.0 // indirect
-	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
-	github.com/hashicorp/go-multierror v1.1.1 // indirect
-	github.com/hashicorp/go-plugin v1.4.4 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
-	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
-	github.com/hashicorp/go-secure-stdlib/mlock v0.1.2 // indirect
-	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 // indirect
-	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
-	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
-	github.com/hashicorp/go-uuid v1.0.3 // indirect
-	github.com/hashicorp/go-version v1.5.0 // indirect
-	github.com/hashicorp/golang-lru v0.5.4 // indirect
-	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hashicorp/vault/api v1.5.0 // indirect
-	github.com/hashicorp/vault/sdk v0.5.0 // indirect
-	github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
 	github.com/jedisct1/go-minisign v0.0.0-20210703085342-c1f07ee84431 // indirect
@@ -198,22 +216,16 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/compress v1.14.2 // indirect
 	github.com/leodido/go-urn v1.2.1 // indirect
-	github.com/letsencrypt/boulder v0.0.0-20220331220046-b23ab962616e // indirect
 	github.com/magiconair/properties v1.8.6 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.12 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
 	github.com/mattn/go-runewidth v0.0.13 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
-	github.com/mitchellh/copystructure v1.2.0 // indirect
-	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
-	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de // indirect
-	github.com/oklog/run v1.1.0 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/onsi/ginkgo v1.16.5 // indirect
@@ -222,7 +234,6 @@ require (
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.1 // indirect
-	github.com/pierrec/lz4 v2.6.1+incompatible // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_golang v1.12.1 // indirect
@@ -234,7 +245,6 @@ require (
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/ryanuber/go-glob v1.0.0 // indirect
 	github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74 // indirect
 	github.com/segmentio/ksuid v1.0.4 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
@@ -248,7 +258,6 @@ require (
 	github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7 // indirect
 	github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 // indirect
 	github.com/thales-e-security/pool v0.0.2 // indirect
-	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 // indirect
 	github.com/urfave/cli v1.22.5 // indirect
 	github.com/vbatts/tar-split v0.11.2 // indirect
@@ -281,29 +290,20 @@ require (
 	go.opentelemetry.io/otel/sdk/metric v0.20.0 // indirect
 	go.opentelemetry.io/otel/trace v0.20.0 // indirect
 	go.opentelemetry.io/proto/otlp v0.12.0 // indirect
-	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/automaxprocs v1.4.0 // indirect
 	go.uber.org/multierr v1.7.0 // indirect
-	golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 // indirect
 	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect
-	golang.org/x/net v0.0.0-20220526153639-5463443f8c37 // indirect
 	golang.org/x/sync v0.0.0-20220513210516-0976fa681c29 // indirect
-	golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a // indirect
 	golang.org/x/text v0.3.7 // indirect
-	golang.org/x/time v0.0.0-20220411224347-583f2d630306 // indirect
 	golang.org/x/tools v0.1.10 // indirect
 	golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20220527130721-00d5c0f3be58 // indirect
-	google.golang.org/grpc v1.47.0 // indirect
-	google.golang.org/protobuf v1.28.0 // indirect
 	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.66.4 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
-	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.23.4 // indirect
 	k8s.io/gengo v0.0.0-20220307231824-4627b89bbf1b // indirect
diff --git a/pkg/cosign/tuf/client.go b/pkg/cosign/tuf/client.go
index 1d28128877c..03d6cb029dc 100644
--- a/pkg/cosign/tuf/client.go
+++ b/pkg/cosign/tuf/client.go
@@ -234,7 +234,7 @@ func GetRootStatus(ctx context.Context) (*RootStatus, error) {
 // targets in a targets/ subfolder.
 // * forceUpdate: indicates checking the remote for an update, even when the local
 // timestamp.json is up to date.
-func initializeTUF(ctx context.Context, mirror string, root []byte, embedded fs.FS, forceUpdate bool) (*TUF, error) {
+func initializeTUF(mirror string, root []byte, embedded fs.FS, forceUpdate bool) (*TUF, error) {
 	singletonTUFOnce.Do(func() {
 		t := &TUF{
 			mirror: mirror,
@@ -247,7 +247,7 @@ func initializeTUF(ctx context.Context, mirror string, root []byte, embedded fs.
 			return
 		}
 
-		t.remote, singletonTUFErr = remoteFromMirror(ctx, t.mirror)
+		t.remote, singletonTUFErr = remoteFromMirror(t.mirror)
 		if singletonTUFErr != nil {
 			return
 		}
@@ -295,7 +295,8 @@ func initializeTUF(ctx context.Context, mirror string, root []byte, embedded fs.
 	return singletonTUF, singletonTUFErr
 }
 
-func NewFromEnv(ctx context.Context) (*TUF, error) {
+// TODO: Remove ctx arg.
+func NewFromEnv(_ context.Context) (*TUF, error) {
 	// Check for the current remote mirror.
 	mirror := GetRemoteRoot()
 	b, err := os.ReadFile(cachedRemote(rootCacheDir()))
@@ -307,12 +308,12 @@ func NewFromEnv(ctx context.Context) (*TUF, error) {
 	}
 
 	// Initializes a new TUF object from the local cache or defaults.
-	return initializeTUF(ctx, mirror, nil, GetEmbedded(), false)
+	return initializeTUF(mirror, nil, GetEmbedded(), false)
 }
 
 func Initialize(ctx context.Context, mirror string, root []byte) error {
 	// Initialize the client. Force an update with remote.
-	if _, err := initializeTUF(ctx, mirror, root, GetEmbedded(), true); err != nil {
+	if _, err := initializeTUF(mirror, root, GetEmbedded(), true); err != nil {
 		return err
 	}
 
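Review bot: `NewFromEnv` and `Initialize` (the third and fourth hunks) keep a `context.Context` parameter that nothing in the new code consumes, because `initializeTUF` and `remoteFromMirror` no longer take one; `// TODO: Remove ctx arg.` tells a maintainer what to do later but not a caller what to expect now. A caller handing a deadline or cancellation to an exported function will reasonably assume it bounds the network fetch behind it, and go vet does not flag the now-unused `ctx` on `Initialize`. Suggest a doc comment on both stating the limitation, e.g. `// NewFromEnv returns the process-wide TUF client. ctx is accepted for API compatibility but is currently ignored: remote fetches are not bound by its deadline or cancellation.`, and for symmetry `func Initialize(_ context.Context, mirror string, root []byte) error`. The bodies of both functions continue past the end of these hunks.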
@@ -683,9 +684,9 @@ func noCache() bool {
 	return b
 }
 
-func remoteFromMirror(ctx context.Context, mirror string) (client.RemoteStore, error) {
+func remoteFromMirror(mirror string) (client.RemoteStore, error) {
 	if _, parseErr := url.ParseRequestURI(mirror); parseErr != nil {
-		return GCSRemoteStore(ctx, mirror, nil)
+		mirror = fmt.Sprintf("https://%s.storage.googleapis.com", mirror)
 	}
 	return client.HTTPRemoteStore(mirror, nil, nil)
 }
diff --git a/pkg/cosign/tuf/store.go b/pkg/cosign/tuf/store.go
deleted file mode 100644
index b4b44597719..00000000000
--- a/pkg/cosign/tuf/store.go
+++ /dev/null
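Review bot: The GCS fallback in `remoteFromMirror` interpolates any string that fails `url.ParseRequestURI` straight into the host position, and the bucket-name validation it replaces (`validBucketName` in the deleted store.go, which enforced `^[a-z0-9][a-z0-9-_.]{1,61}[a-z0-9]$` and rejected `goog`/`google` names) is gone with nothing in its place. A value such as `example.com/foo` is not a valid request URI, so it becomes `https://example.com/foo.storage.googleapis.com`, whose host is `example.com`; `--mirror` is operator-supplied so this is not a trust-boundary crossing, but a typo now silently points the TUF root fetch at an unintended origin instead of failing with "bucket name is invalid" as before. Suggest re-parsing the constructed URL and rejecting anything whose host is not `<bucket>.storage.googleapis.com` or that carries userinfo, a path, a query or a fragment, as below (needs `strings` in scope if client.go does not already import it), or reinstating the bucket regex.
```go
func remoteFromMirror(mirror string) (client.RemoteStore, error) {
	if _, parseErr := url.ParseRequestURI(mirror); parseErr != nil {
		// Not a URL: treat it as a GCS bucket name, but make sure the name cannot
		// smuggle a path, userinfo or a different host into the resulting URL.
		candidate := fmt.Sprintf("https://%s.storage.googleapis.com", mirror)
		u, err := url.Parse(candidate)
		if err != nil || u.User != nil || u.Path != "" || u.RawQuery != "" || u.Fragment != "" ||
			!strings.HasSuffix(u.Host, ".storage.googleapis.com") {
			return nil, fmt.Errorf("mirror %q is neither a URL nor a valid GCS bucket name", mirror)
		}
		mirror = candidate
	}
	return client.HTTPRemoteStore(mirror, nil, nil)
}
```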
@@ -1,96 +0,0 @@
-//
-// Copyright 2021 The Sigstore Authors.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package tuf
-
-import (
-	"context"
-	"fmt"
-	"io"
-	"net/http"
-	"path"
-	"regexp"
-	"strings"
-
-	"github.com/theupdateframework/go-tuf/client"
-)
-
-// This is a partial validation.
-// Full bucket naming rules here: https://cloud.google.com/storage/docs/naming-buckets
-var bucketRE = regexp.MustCompile("^[a-z0-9][a-z0-9-_.]{1,61}[a-z0-9]$")
-
-type GcsRemoteOptions struct {
-	MetadataPath string
-	TargetsPath string
-}
-
-type gcsRemoteStore struct {
-	bucket string
-	ctx context.Context
-	opts *GcsRemoteOptions
-}
-
-func validBucketName(b string) bool {
-	if !bucketRE.MatchString(b) {
-		return false
-	}
-	if strings.HasPrefix(b, "goog") {
-		return false
-	}
-	if strings.Contains(b, "google") {
-		return false
-	}
-	return true
-}
-
-// GCSRemoteStore is a remote store for TUF metadata on GCS.
-func GCSRemoteStore(ctx context.Context, bucket string, opts *GcsRemoteOptions) (client.RemoteStore, error) {
-	if opts == nil {
-		opts = &GcsRemoteOptions{}
-	}
-	if opts.TargetsPath == "" {
-		opts.TargetsPath = "targets"
-	}
-	if !validBucketName(bucket) {
-		return nil, fmt.Errorf("bucket name %q is invalid", bucket)
-	}
-	return &gcsRemoteStore{ctx: ctx, bucket: bucket, opts: opts}, nil
-}
-
-func (h *gcsRemoteStore) GetMeta(name string) (io.ReadCloser, int64, error) {
-	return h.get(path.Clean(path.Join(h.opts.MetadataPath, name)))
-}
-
-func (h *gcsRemoteStore) GetTarget(name string) (io.ReadCloser, int64, error) {
-	return h.get(path.Clean(path.Join(h.opts.TargetsPath, name)))
-}
-
-func (h *gcsRemoteStore) get(path string) (io.ReadCloser, int64, error) {
-	url := fmt.Sprintf("https://%s.storage.googleapis.com/%s", h.bucket, path)
-	resp, err := http.Get(url) // nolint:gosec
-	if err != nil {
-		return nil, 0, client.ErrNotFound{File: path}
-	}
-	switch resp.StatusCode {
-	case http.StatusOK:
-		return resp.Body, resp.ContentLength, nil
-	case http.StatusNotFound:
-		return nil, 0, client.ErrNotFound{File: path}
-	default:
-		defer resp.Body.Close()
-		all, _ := io.ReadAll(resp.Body)
-		return nil, 0, fmt.Errorf("GET %q: %s", url, string(all))
-	}
-}
diff --git a/pkg/cosign/tuf/store_test.go b/pkg/cosign/tuf/store_test.go
deleted file mode 100644
index 59b3582873c..00000000000
--- a/pkg/cosign/tuf/store_test.go
+++ /dev/null
@@ -1,49 +0,0 @@
-//
-// Copyright 2022 The Sigstore Authors.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package tuf
-
-import "testing"
-
-func TestValidBucketName(t *testing.T) {
-	for _, good := range []string{
-		"sigstore-tuf-root",
-		"a1z",
-		"0z0",
-		"a-z", // internal dashes are allowed.
-		"a_z", // internal underscores are allowed.
-		"hello.example.com",
-	} {
-		t.Run(good, func(t *testing.T) {
-			if !validBucketName(good) {
-				t.Error("expected bucket name to be valid")
-			}
-		})
-	}
-
-	for _, bad := range []string{
-		"goog-prefix",
-		"contains-google",
-		"-starts-with-dash",
-		"ends-with-dash-",
-		"too-much-YELLING",
-	} {
-		t.Run(bad, func(t *testing.T) {
-			if validBucketName(bad) {
-				t.Error("expected bucket name to be invalid")
-			}
-		})
-	}
-}
From 7e713e5583d025d1bb5b9f88563e2da05bbfeb7a Mon Sep 17 00:00:00 2001
From: Jason Hall
Date: Tue, 7 Jun 2022 12:01:00 -0400
Subject: [PATCH 5/7] Add comment about GCS->HTTP fallback
Signed-off-by: Jason Hall
---
 pkg/cosign/tuf/client.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkg/cosign/tuf/client.go b/pkg/cosign/tuf/client.go
index 03d6cb029dc..3a8daabc119 100644
--- a/pkg/cosign/tuf/client.go
+++ b/pkg/cosign/tuf/client.go
@@ -685,6 +685,7 @@ func noCache() bool {
 }
 
 func remoteFromMirror(mirror string) (client.RemoteStore, error) {
+	// This is for compatibility with specifying a GCS bucket remote.
 	if _, parseErr := url.ParseRequestURI(mirror); parseErr != nil {
 		mirror = fmt.Sprintf("https://%s.storage.googleapis.com", mirror)
 	}
From 29956a5f50e39ef2c3b01c7f9b4399e03d491661 Mon Sep 17 00:00:00 2001
From: Jason Hall
Date: Tue, 7 Jun 2022 15:04:28 -0400
Subject: [PATCH 6/7] update DefaultRemoteRoot
Signed-off-by: Jason Hall
---
 pkg/cosign/tuf/client.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/cosign/tuf/client.go b/pkg/cosign/tuf/client.go
index 3a8daabc119..3388679eb4a 100644
--- a/pkg/cosign/tuf/client.go
+++ b/pkg/cosign/tuf/client.go
@@ -42,7 +42,7 @@ import (
 )
 
 const (
-	DefaultRemoteRoot = "sigstore-tuf-root"
+	DefaultRemoteRoot = "https://sigstore-tuf-root.storage.googleapis.com"
 	TufRootEnv = "TUF_ROOT"
 	SigstoreNoCache = "SIGSTORE_NO_CACHE"
 )
From 3083fef066854fa5f35766e32b01655bea02d734 Mon Sep 17 00:00:00 2001
From: Jason Hall
Date: Tue, 7 Jun 2022 16:51:39 -0400
Subject: [PATCH 7/7] make docgen
Signed-off-by: Jason Hall
---
 doc/cosign_initialize.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/cosign_initialize.md b/doc/cosign_initialize.md
index 0fed05c0793..0883071f304 100644
--- a/doc/cosign_initialize.md
+++ b/doc/cosign_initialize.md
@@ -41,7 +41,7 @@ cosign initialize -mirror -root ``` -h, --help help for initialize - --mirror string GCS bucket to a SigStore TUF repository or HTTP(S) base URL (default "sigstore-tuf-root") + --mirror string GCS bucket to a SigStore TUF repository or HTTP(S) base URL (default "https://sigstore-tuf-root.storage.googleapis.com") --root string path to trusted initial root. defaults to embedded root ```
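Review bot: The comment added in the first hunk on this line explains why the bucket-name fallback exists but not its consequence, and the more important gap is just below the hunk: with the ctx argument removed from `remoteFromMirror` earlier in this series and `client.HTTPRemoteStore(mirror, nil, nil)` passing a nil `*http.Client`, nothing bounds the TUF metadata and target fetches any more. If go-tuf substitutes `http.DefaultClient` for a nil client (I believe v0.3.0 does; please confirm), there is no timeout at all, so a stalled mirror hangs `cosign initialize` and any verification that triggers a TUF refresh indefinitely. Suggest passing an explicit client, e.g. `return client.HTTPRemoteStore(mirror, nil, &http.Client{Timeout: 30 * time.Second})` (needs `net/http` and `time` in scope if client.go does not already import them), and extending the new comment to `// A bare name is treated as a GCS bucket and rewritten to https://<name>.storage.googleapis.com for compatibility with the old GCS remote.` so readers see the rewrite rather than just "compatibility". The `return` statement of `remoteFromMirror` lies outside this hunk.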